diff options
author | Dan Sinclair <dsinclair@chromium.org> | 2017-01-09 09:50:50 -0500 |
---|---|---|
committer | Chromium commit bot <commit-bot@chromium.org> | 2017-01-09 15:32:48 +0000 |
commit | 5f92eab76505fc6be2e5373390591a55be489b21 (patch) | |
tree | a4c230681c601cccc50f1e770bf6cfd3f91fe387 | |
parent | 0d164f894472b364b0673471eda49b5d4f209c96 (diff) | |
download | pdfium-5f92eab76505fc6be2e5373390591a55be489b21.tar.xz |
[libtiff] Validate refblackwhite values
The td_refblackwhite value is currently assigned without validation. This
may pose an issue as the image can specify the value as nan. This will cause
problems later when we use the nan in calcluations.
This CL validates each of the float values are not nan and if they are sets
them to the default provided by the TIFF spec v6.
BUG=chromium:632883
Change-Id: I17b01f744d3f5247c4bd3f42765a27b611dc7d8c
Reviewed-on: https://pdfium-review.googlesource.com/2151
Commit-Queue: dsinclair <dsinclair@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
-rw-r--r-- | third_party/libtiff/0013-validate-refblackwhite.patch | 19 | ||||
-rw-r--r-- | third_party/libtiff/README.pdfium | 1 | ||||
-rw-r--r-- | third_party/libtiff/tif_dir.c | 8 |
3 files changed, 28 insertions, 0 deletions
diff --git a/third_party/libtiff/0013-validate-refblackwhite.patch b/third_party/libtiff/0013-validate-refblackwhite.patch new file mode 100644 index 0000000000..a314fbdc3f --- /dev/null +++ b/third_party/libtiff/0013-validate-refblackwhite.patch @@ -0,0 +1,19 @@ +diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c +index 73212c02d..16ce3d3ce 100644 +--- a/third_party/libtiff/tif_dir.c ++++ b/third_party/libtiff/tif_dir.c +@@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) + case TIFFTAG_REFERENCEBLACKWHITE: + /* XXX should check for null range */ + _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); ++ for (int i = 0; i < 6; i++) { ++ if (isnan(td->td_refblackwhite[i])) { ++ if (i % 2 == 0) ++ td->td_refblackwhite[i] = 0; ++ else ++ td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1; ++ } ++ } + break; + case TIFFTAG_INKNAMES: + v = (uint16) va_arg(ap, uint16_vap); diff --git a/third_party/libtiff/README.pdfium b/third_party/libtiff/README.pdfium index c55fc63f36..9acd4c7f63 100644 --- a/third_party/libtiff/README.pdfium +++ b/third_party/libtiff/README.pdfium @@ -22,3 +22,4 @@ Local Modifications: 0010-fix-leak-imagebegin: Fix a leak when TIFFRGBAImageBegin fails 0011-fix-leak-imagebegin2: Apply upstream fix related to our previous patch 0012-initialize-tif-rawdata.patch: Initialize tif_rawdata to guard against unitialized access +0013-validate-refblackwhite.patch: Make sure the refblackwhite values aren't nan. diff --git a/third_party/libtiff/tif_dir.c b/third_party/libtiff/tif_dir.c index 73212c02db..16ce3d3cee 100644 --- a/third_party/libtiff/tif_dir.c +++ b/third_party/libtiff/tif_dir.c @@ -426,6 +426,14 @@ _TIFFVSetField(TIFF* tif, uint32 tag, va_list ap) case TIFFTAG_REFERENCEBLACKWHITE: /* XXX should check for null range */ _TIFFsetFloatArray(&td->td_refblackwhite, va_arg(ap, float*), 6); + for (int i = 0; i < 6; i++) { + if (isnan(td->td_refblackwhite[i])) { + if (i % 2 == 0) + td->td_refblackwhite[i] = 0; + else + td->td_refblackwhite[i] = pow(2, td->td_bitspersample) - 1; + } + } break; case TIFFTAG_INKNAMES: v = (uint16) va_arg(ap, uint16_vap); |